Canary Intelligence API
Real-Time Early-Stage Attack Telemetry
The Canary Intelligence API delivers live attacker telemetry sourced from our distributed honeypot network, giving your security teams visibility into credential validation, account probing, and fraud testing activity before attacks escalate.
Detecting compromise after damage occurs
At the first sign of hostile intent
City of Hats isn't watching breaches happen; we're watching attackers while they attack.
Traditional honeypots sit and wait. Our canaries are designed to be discovered, and they send real-time intelligence when attackers engage.
What This API Provides
The API streams anonymized attack event signals from the City of Hats Honeypot Network and partner deception infrastructure.
Attack Signals Detected
- Credential test attempts
- Automation fingerprinting
- Attacker infrastructure clues
- SIM-swap reconnaissance
- Replay & credential stuffing prep
- Account validation probes
- Fake checkout & fraud testing signals
Privacy-First Telemetry
- No PII
- No personal user activity
- Just attacker behavior
Why This Matters
Most systems only see attack activity when it reaches them.
City of Hats sees: the attacker practicing, before the real attempt.
This enables:
Example Canary Signal
{
  "event_type": "credential_testing",
  "timestamp": "2026-01-03T04:12:11Z",
  "source_country": "RU",
  "infrastructure": "residential-proxy",
  "attack_confidence": "high",
  "related_domain": "example-company.com",
  "threat_stage": "TESTING",
  "recommended_action": "monitor_or_step_up_auth"
}
Signal Breakdown
- event_type: Type of attack behavior detected
- infrastructure: Attacker's proxy/network type
- attack_confidence: How certain this is malicious
- threat_stage: Position in attack funnel
Relationship to Risk Scoring
Canary telemetry is a high-value signal into the Risk Engine, especially when:
Together, they answer:
"Is this identity being prepared for attack?"
Example Use Cases
Fraud & FinCrime
Detect synthetic identity test runs before loan or account abuse attempts.
E-Commerce Trust
Detect credential-stuffing prep before bots reach checkout.
Workforce Security
Identify hostile reconnaissance before corporate account compromise.
Telecom & Carrier Defense
Detect SIM-swap reconnaissance activity before takeover events.
API Reference
curl -X GET "https://api.cityofhats.com/v1/canary/signals?limit=50&threat_only=true&since_hours=24" \
-H "Authorization: Bearer YOUR_API_KEY"
{
  "signals": [
    {
      "id": "sig_82933",
      "event_type": "credential_testing",
      "confidence": "high",
      "source_region": "EU",
      "proxy_type": "residential",
      "threat_stage": "TESTING",
      "related_domain": "example.com",
      "timestamp": "2026-01-03T04:12:11Z",
      "recommended_action": "monitor_or_step_up"
    }
  ],
  "total_count": 142,
  "time_range": "24h"
}
- /v1/canary/threat-feed: High-confidence threat signals only
- /v1/canary/campaigns: Grouped attack campaigns
- /v1/canary/stats: Network statistics & trends
Response Field Reference
- event_type (string): credential_testing | account_probe | sim_recon | fraud_test
- confidence (string): low | medium | high (signal confidence)
- source_region (string): Geographic origin of attack (ISO region)
- proxy_type (string): datacenter | residential | mobile | tor
- threat_stage (string): TESTING | ATTACK (position in funnel)
- related_domain (string): Target brand/domain being tested
- recommended_action (string): monitor | step_up | block | alert_soc
Threat Funnel Alignment
Canary signals typically appear at these critical stages:
- Credential rehearsal
- Account validation
- Bot testing runs
- Live credential abuse
- Session hijacking
- SIM takeover
Which means: Customers detect threats before monetization ever begins.
Example Automation Triggers
IF:
- Canary confidence = high
- AND Credential exposure = true
ACTIONS:
- Enforce step-up auth
- Monitor transaction behavior
- Alert SOC
No human approval needed. Intelligence-driven automation at machine speed.
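Because the trigger above runs without human approval, a consumer should treat each signal as untrusted input before acting on it. The following is an added example, not City of Hats code: it checks signals against the enumerations in the Response Field Reference, drops stale or malformed ones, and then applies the trigger. The `exposed_domains` set (standing in for "credential exposure"), the action labels, and the sample signals are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

ALLOWED = {  # enumerations copied from the Response Field Reference on this page
    "event_type": {"credential_testing", "account_probe", "sim_recon", "fraud_test"},
    "confidence": {"low", "medium", "high"},
    "proxy_type": {"datacenter", "residential", "mobile", "tor"},
    "threat_stage": {"TESTING", "ATTACK"},
}

def _sample(sid, confidence, domain, ts):
    return {"id": sid, "event_type": "credential_testing", "confidence": confidence,
            "proxy_type": "residential", "threat_stage": "TESTING",
            "related_domain": domain, "timestamp": ts}

# Constructed sample in the shape of the /v1/canary/signals response; not real feed data.
SAMPLE_RESPONSE = json.dumps({"signals": [
    _sample("sig_1", "high", "example.com", "2026-01-03T04:12:11Z"),
    _sample("sig_2", "high", "other.example", "2026-01-03T04:15:00Z"),
    _sample("sig_3", "HIGH; drop", "example.com", "2026-01-03T04:16:00Z"),  # off-enum
    _sample("sig_4", "high", "example.com", "2025-12-01T00:00:00Z"),        # stale
]})

def validate(sig, now, max_age):
    """Return None for a well-formed, fresh signal, else a rejection reason."""
    if not isinstance(sig, dict) or not all(
            isinstance(sig.get(k), str) for k in ("id", "related_domain")):
        return "malformed"
    for field, allowed in ALLOWED.items():
        if not isinstance(sig.get(field), str) or sig[field] not in allowed:
            return f"bad {field}"
    try:
        ts = datetime.strptime(sig["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, TypeError, ValueError):
        return "bad timestamp"
    age = now - ts.replace(tzinfo=timezone.utc)
    return None if timedelta(0) <= age <= max_age else "stale or future timestamp"

def evaluate(raw, exposed_domains, now, max_age=timedelta(hours=24)):
    """Apply the page's trigger: confidence = high AND credential exposure = true."""
    actions, rejected = {}, {}
    for i, sig in enumerate(json.loads(raw).get("signals", [])):
        reason = validate(sig, now, max_age)
        if reason:
            rejected[i] = reason  # keyed by position; the id itself may be bad
        elif sig["confidence"] == "high" and sig["related_domain"] in exposed_domains:
            # Action labels are hypothetical names for the page's three actions.
            actions[sig["id"]] = ["step_up_auth", "monitor_transactions", "alert_soc"]
    return actions, rejected
```

Rejected signals are worth logging rather than silently dropping, since a burst of off-enum or stale entries can indicate a feed or integration problem.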
Where It Plugs In
Canary signals flow seamlessly into your existing security and fraud infrastructure.
SIEM
Real-time event ingestion for Splunk, Sentinel, Chronicle
SOAR
Automated playbooks and response orchestration
Threat Intel
Enrichment feeds for TIP platforms
Fraud Engines
Risk signals for decisioning systems
Also integrates with:
Privacy & Controls
Adversary intelligence, not surveillance.
- No user monitoring
- No behavioral fingerprinting
- No data resale
- Fully anonymized telemetry
- Enterprise governance controls
- SOC 2 Type II compliant
Performance & Delivery
Built for real-time security operations.
- Real-time streaming or polling
- Global honeypot coverage
- Built for SIEM / SOAR ingestion
- Low-latency enrichment
- 99.9% uptime SLA
- Enterprise throughput
Why Enterprises Choose Canary Intelligence
Threat feeds tell you what already happened. Canary tells you what attackers are planning.
The Canary Intelligence API gives your organization a strategic early-warning system, detecting attacker behavior before credentials are weaponized and accounts are compromised.
Start Using Canary Intelligence API
Detect attackers while they practice. Get early-warning telemetry before credentials are weaponized.